Paper 2023/776

Quantum Attacks on Type-1 Generalized Feistel Schemes

Hong-Wei Sun, Beijing University of Posts and Telecommunications
Bin-Bin Cai
Su-Juan Qin
Qiao-Yan Wen
Fei Gao

Generalized Feistel schemes (GFSs) are extremely important and extensively researched cryptographic schemes. In this paper, we investigate the security of Type-1 GFS in quantum circumstances. On the one hand, in the qCCA setting, we give a new quantum polynomial-time distinguisher on $(d^2-1)$-round Type-1 GFS with branches $d\geq3$, which extends the previous results by $(d-2)$ rounds. This leads to a more efficient analysis of type-1 GFS, that is, the complexity of some previous key-recovery attacks is reduced by a factor of $2^{\frac{(d-2)k}{2}}$, where $k$ is the key length of the internal round function. On the other hand, for CAST-256, which is a certain block cipher based on Type-1 GFS, we give a 17-round quantum distinguisher in the qCPA setting. Based on this, we construct an $r (r>17)$-round quantum key-recovery attack with complexity $O(2^{\frac{37(r-17)}{2}})$.

Available format(s)
Attacks and cryptanalysis
Publication info
Generalized Feistel schemeCAST-256Simon algorithmQuantum cryptanalysisQuantum algorithm
Contact author(s)
Sunhw @ bupt edu cn
2023-08-17: revised
2023-05-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hong-Wei Sun and Bin-Bin Cai and Su-Juan Qin and Qiao-Yan Wen and Fei Gao},
      title = {Quantum Attacks on Type-1 Generalized Feistel Schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2023/776},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.